Data Breaches Hit 113 Health Care Organizations, Report Says

Of the 385 organizations hit with data breaches so far this year, 113 were in health care, according to the Identity Theft Resource Center's report for July 28. Just 39 breaches have been reported in banking and finance according to the ITRC. Experts cite a lack of compliance and improper data access by insiders as culprits.

A total of 113 health care facilities have been hit with data breaches in
2010, compared with only 39 banking/finance firms, according to a July 28
report by the Identity Theft
Resource Center.
Hospitals are vulnerable to insider data breaches with the multitude of
doctors, nurses, lab technicians, janitors and food service personnel
circulating throughout the facility, according to Jay Foley, executive director
of the ITRC.

In one incident reported by the ITRC, a former UCSF (University
of California, San
Francisco) Medical
Center employee used fellow
workers' Social Security numbers to fill out health surveys that won him
hundreds of $100 vouchers for an Amazon.com shopping spree. The former employee
pleaded guilty to wire fraud in federal court.

In another case cited in the ITRC report, the Colorado Department of Health
Care Policy & Financing notified 105,470 clients receiving state-provided
health insurance that a hard drive had been stolen containing their state ID
numbers.
The organization obtained its information on the health care data breaches
from the U.S. Department of Health and Human Services, Foley told eWEEK. To
qualify as a breach, the data had to include financial account information, as
well as driver's license and Social Security numbers, he explained.
Meanwhile, BridgeHead Software, a storage-virtualization firm, reported in
its International 2010 Data Management Healthcheck survey that 69 percent of
health care organizations expect their volume of stored data to increase this
year. However, by comparison, only 44 percent of hospitals surveyed planned to
make disaster recovery a top IT spending priority.
Frank Kenney, vice president of global strategy at Ipswitch, noted that
health care facilities are not complying with HIPAA (Health Insurance
Portability and Accountability Act) and regional government regulations on data
privacy. Even signing your name in at the front desk in a doctor's office for
all to see is a breach of HIPAA regulations, according to Kenney.
Having a nurse encrypt your signature digitally would be better, he said.
Kenney told eWEEK that full compliance and visibility as well as avoiding
storage of personal medical data on flash drives and CD burners are essential
measures to averting data breaches.
As Verizon reported in its 2010
Data Breach Investigations Report, in collaboration with the U.S. Secret
Service, 48 percent of data breaches across all industries were caused by
insiders. "There's a fairly significant amount of breaches coming from insiders
who have access to the data," Kenney said.
One heavily publicized example occurred in 2008 when the UCLA
Medical Center
fired employees for selling the health
records of Britney Spears and Farrah Fawcett to the National Enquirer.
Most hospitals are focused on preventing unauthorized access by outsiders,
using firewalls, rather than preventing intrusion by insiders, said Phil Neray,
vice president of security strategy for IBM's
Guardium security platform, which analyzes transactions in databases for
suspicious activity. "Firewalls have been insufficient in preventing
unauthorized access by insiders," he told eWEEK.
On July 19, South Shore
Hospital, in South
Weymouth, Mass., reported the
potential loss of 800,000
backup files containing personal, health and financial information of
patients, physicians and other individuals connected with the medical facility.
With double the amount of data breaches for health care facilities (108)
compared with banking/finance firms (39), the financial institutions are more
equipped to monitor database activity than health care companies, according to IBM's
Neray. "All of the major banks have implemented this technology, but very
few hospitals have," he said.
Neray noted that the health information exchanges outlined under federal meaningful
use guidelines of electronic medical records will centralize data in big
data warehouses, thereby increasing the risk for data breaches.
The Web is a vulnerable spot as far as data breaches, noted Michael Maloof, CTO
of TriGeo Network Security, which makes
the TriGeo Security Information Management device. "Going through the
[ITRC] report, I did see a number of cases that referred generically to server
breach. The vast majority of these are from client-based breaches based from
the Web," he told eWEEK.
If a breach does occur, ITRC's Foley said it's important to take a snapshot
of your system to provide to law enforcement. "No matter who you had in
your organization, there will always be some thief to create grief and havoc
for you," he said.

Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.